fix: Restrict access to admin-only for AD_Server JSON endpoints

GHSA-j36m-74g2-7m95

Author: Daniel Neto

plugin/AD_Server/getData.json.php

@@ -2,6 +2,11 @@
 header('Content-Type: application/json');
 
 require_once '../../videos/configuration.php';
+
+if (!User::isAdmin()) {
+    forbiddenPage('You must be Admin');
+}
+
 allowOrigin();
 $obj = new stdClass();
 $obj->error = true;

plugin/AD_Server/reports.json.php

@@ -4,6 +4,10 @@
 
 require_once '../../videos/configuration.php';
 
+if (!User::isAdmin()) {
+    forbiddenPage(__('You cannot do this'));
+}
+
 // Fetch request parameters with safety checks
 $startDate = !empty($_REQUEST['startDate']) ? $_REQUEST['startDate'] . ' 00:00:00' : null;
 $endDate = !empty($_REQUEST['endDate']) ? $_REQUEST['endDate'] . ' 23:59:59' : null;

plugin/AD_Server/view/campaigns.json.php

@@ -3,6 +3,10 @@
 require_once $global['systemRootPath'] . 'plugin/AD_Server/Objects/VastCampaigns.php';
 header('Content-Type: application/json');
 
+if (!User::isAdmin()) {
+	forbiddenPage('You must be Admin');
+}
+
 $rows = VastCampaigns::getAll();
 ?>
-{"data": <?php echo json_encode($rows); ?>}
+{"data": <?php echo json_encode($rows); ?>}

plugin/AD_Server/view/campaignsVideos.json.php

@@ -3,6 +3,10 @@
 require_once $global['systemRootPath'] . 'plugin/AD_Server/Objects/VastCampaignsVideos.php';
 header('Content-Type: application/json');
 
+if (!User::isAdmin()) {
+	forbiddenPage('You must be Admin');
+}
+
 $rows = VastCampaignsVideos::getAllFromCampaign(intval(@$_POST['id']), true);
 ?>
-{"data": <?php echo json_encode($rows); ?>}
+{"data": <?php echo json_encode($rows); ?>}